Thursday, December 18, 2014

Interpretation and Definition Issues in CIP-002-5.1 R1 and Attachment 1

This is the second of a series of four posts on the serious problems with CIP-002-5.1 R1, and what NERC entities and NERC need to do to address them. The first post is here. The next post is here.

In the at least 30 posts I have done on problems with CIP-002-5.1 R1 and Attachment 1 (hereinafter “R1”), I have identified many problems with the wording in that document. However, I’ve never gathered these together in one post. I am now doing that, both for the sake of clarity and to support a couple new posts I’ll be doing very soon.

This list is important because NERC entities with Medium and High impact assets need to get started very quickly – if they haven’t already – on developing their final lists of cyber assets in scope for CIP v5, and they can’t do that without having some resolution to the issues listed below[i]. Unfortunately, none of these issues have been finally resolved – that can only be done by rewriting R1, or by capital I Interpretations, which take 2-3 years.

Please note:

This is far from being a complete list of problems with R1. For one thing, there are a whole host of issues with the bright-line criteria, since those criteria don’t seem to fit any asset very well. I’m sure you could easily more than double this list by including all of those issues. And I’m sure there are more problems in the other parts of R1 as well.

All of the issues in this list relate to Medium impact Transmission substations, since it is for these assets that the bulk of the CIP v5 effort will be expended. There are other issues that relate to control centers, generating stations, etc. that I haven’t included in this list; I hope to add those at a later date. On the other hand, all entities subject to CIP v5 compliance should find this list useful. Most of the items on this list apply to all types of BES assets, not just substations.

I have addressed some of these issues in previous posts; I include links in those cases. I hope to do future posts on some of the other issues.

FWIW, NERC has included a couple of these issues on their list of planned Lessons Learned and FAQs. If we’re lucky we’ll see a draft for comment of these documents within a few months. But my guess is there aren’t too many entities that will feel comfortable waiting a few more months to identify their cyber assets in scope for v5, while the compliance date remains 4/1/16. If you’re still waiting to do this, you’ve already waited too long. You need to get moving, even though that means taking these issues into your own hands to resolve.

My suggestion is that, for each of the issues below, entities should decide how they will interpret each one (in conversation with their NERC Regional Entity, if possible) and document it – then go about identifying their cyber assets in scope. Of course, any guidance NERC has provided will be helpful, as will any advice from the Regional Entity. But remember, the only mandatory “guidance” is the wording of the standards themselves, along with any capital “I” Interpretations that NERC and FERC may approve. The standards aren’t going to change in the next few years, and there will be no Interpretations available for at least 2-3 years. I don’t advise anyone to wait for either of these things to happen, before they start to become compliant with CIP v5.

Here’s the list:

1. The beginning of Section 4.2 of CIP-002-5.1 says “…the following Facilities, systems, and equipment owned by each Responsible Entity in 4.1 above are those to which these requirements are applicable…” Yet R1 talks about “BES Cyber Systems” as being in scope and also discusses six types of “assets”. Attachment 1 discusses things like “control center”, “generation”, “reactive resources”, “Transmission Facilities”, SPS, RAS, and “system or group of Elements”. What is the relation, if any, between all of these things and “Facilities, systems and equipment” in 4.2? And if there is no real relation, why is this wording in 4.2?

I can see that “Facilities” might be taken to roughly correspond to the “big iron” referenced in the bright-line criteria (i.e. roughly “assets” and true “Facilities”). I can also see that “systems” might refer to the BES Cyber Systems that will be in scope for v5. But “equipment”? That sounds more like monkey wrenches and forklift trucks. Is that really in scope for v5? Does the entity need to come up with a list of all the “equipment” they own and decide what impact it has on the BES? I’m sure they don’t, but that would be a valid interpretation of this section.

2. Subsection 4.2.2 seems to narrow “Facilities, systems and equipment” down by saying that, for all entities listed in 4.1 except DP’s, what is in scope for them is “All BES Facilities”. If the SDT hadn’t capitalized “Facilities”, this would be quite easy to understand, since lower case “facility” can generally be thought to be any of the “big iron” to which CIP v5 might apply, including control centers, substations, generating stations, etc. However, the fact that Facility is capitalized means it’s a NERC defined term. If you look it up in the NERC Glossary (and also look up Element, which is a key part of the Facility definition), you’ll see that a Facility has to have terminals and presumably be operated at high voltage. Do you know any control centers that have terminals and are operated at high voltage? I don’t either. This means that all control centers are out of scope for CIP v5! I’m sure all the big BA’s will be pleased to hear this.[ii]

3. There’s another “get out of jail free” card embedded in the quote from Section 4.2 in item 1 above. Note that the “Facilities, systems and equipment” need to be “owned by” the Responsible Entity, in order for them to be in scope for CIP v5. So to eliminate your CIP compliance burden, how about selling your equipment – or even the asset itself – and leasing it back? Businesses do this all the time as a financial strategy. There you go: You don’t own anything, so you don’t have anything in scope for v5!

4. Of course, the whole point of R1 is to identify and classify BES Cyber Systems. What is the first step in that process? If you restrict yourself to the wording of the requirement itself, the only thing you have to go by is R1.1 – R1.3, since they constitute the entire actionable part of the requirement. 1.1 and 1.2 tell you to respectively “Identify each of the high impact BES Cyber Systems….” and “Identify each of the medium impact BES Cyber Systems…” But how do you do that? There is nothing in the requirement to guide you, other than the definitions themselves. And you have to work backwards. Since you’re told BCS are your target, you need to read the BCS definition first; of course, that references BCAs, so you then need to read that definition; that references Cyber Assets, so now you need to read that definition.

Why couldn’t each of these three crucial steps have been explicitly stated in R1? Better yet, why couldn’t they have been broken up into three or four separate requirements, as was the case in CIP v1 – v4? The whole process would have been much easier to understand if this had been done; plus the whole process would have been a lot less susceptible to confusion, as shown below.

5. The first step for identifying BES Cyber Assets/Systems is to identify Cyber Assets, which are defined as “programmable electronic devices.” But what does “programmable” mean? This is on NERC’s list to address, of course, but many entities have decided they can’t wait for NERC to do something to start their BCS identification process. These entities have developed and documented their own definition (a number of entities – especially owners of large generating stations – did this last summer. They had to get going on their v5 compliance process then, if they were going to have a good chance to meet the 4/1/16 compliance date).

6. The definition of BES Cyber Asset includes the phrase “affect the reliable operation of the BES”. What does this mean, and how do we measure it? It’s safe to say that no cyber asset has been installed in a substation, control center or generating station purely because it looks nice. They can all be said to affect the reliable operation of the BES in some way, albeit small. So what distinguishes BCAs from other cyber assets? Again, entities that can’t wait for this issue to be clarified by NERC (and NERC hasn’t even listed this as a topic they’ll address in the Lessons Learned) need to develop and document their own interpretation of this phrase.

6.5. In order to classify a BES Cyber System as Medium or Low impact, you need to know which substation or Facility (see below) it is "associated with", since Section 2 of Attachment 1 says that Medium BCS are those that are associated with any asset/Facility that meets one or more of the Medium criteria. But "associated with" is not defined, nor does NERC currently plan to define it. Each entity needs to develop its own definition (although EnergySec has developed a white paper that discusses this). It could be an operational definition, stating for example how to determine which Facility or substation a relay is associated with.

7. Once you’ve identified your BES Cyber Assets, how do you get to BES Cyber Systems? The definition of BCS is “One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.” While the entity has complete discretion on how to do that grouping, some groupings may be more efficient than others, depending on the environment. Fortunately, NERC does have a good Lessons Learned document on this question; but again, it would have been nice if this step had been explicitly called out, rather than implicitly included – along with about four other steps – in the single word “Identify” in R1.1 and 1.2. R1’s use of very compressed meanings works very well if you consider it haiku poetry, but not well at all if you consider it a requirement that in theory can carry million-dollar-a-day penalties for violation.

8. In any case, through applying three NERC definitions (and adding a couple of our own), we have now come up with a list of BES Cyber Systems, staying strictly within R1 itself. But in the Guidance and Technical Basis section of CIP-002-5.1, there is a lengthy discussion of the BES Reliability Operating Services (aka BROS), including a description of how they can be used to identify BES Cyber Systems; this is what I have called the “top-down approach” to identifying BCS (what we just did above is the “bottom-up” approach).

However, the BROS are nowhere referenced in R1 (or the BCA/BCS definitions) itself[iii]. What place should they play in identifying BES Cyber Systems, vis-à-vis the “bottom-up” approach described above? Should an entity use both approaches and then combine the results, in order to make sure they do not over- or under-identify BCS? This question isn’t raised, let alone answered, in CIP-002-5.1. Yet it is very important. If the entity uses just one approach rather than the other, there is a big risk of either under- or over-identifying BES Cyber Systems. And another consideration: the only approach that’s actually required by R1 is the bottom-up one (although as I’ve just said, that “requirement” is purely implicit in the definitions of three phrases, not overtly stated).

9. What is the role of the six asset types (control centers, etc.) listed in R1? Are they meant to be the types of assets that are “run through” the bright-line criteria to determine which are High, Medium or Low, or are they the locations at which BCS can be found? If the former interpretation is chosen, a number of wording conflicts result[iv]. If the latter interpretation is chosen, it needs to be made clear in your R1 compliance methodology that, even though BES Cyber Systems associated with a Medium impact substation can be located outside of the substation itself, they have to be located at one of the six asset types; otherwise, they need to be treated as remote users (I discussed this question in this very long post, under the section Questions of Scope, about 5 or 6 paragraphs down. Also in this post, in the section entitled “The Auditor’s Methodology”).

10. Criteria 2.4 – 2.8 apply to Facilities, not assets. It is clear that substations are not Facilities. Rather, Facilities are lines, transformers, busses, etc. Yet the regions seem to differ in their interpretation of “Facilities” in these criteria. SPP makes clear that Facilities are the lines, etc.; NERC also indicates that. However, some regional auditors (including Joe Baugh of WECC, in his presentation on CIP-002-5.1 in September) have indicated that “Facilities” means “substations” in these criteria. Which should it be? If “Facilities” means lines, etc., there will potentially be a lower compliance burden for Transmission entities, since BES Cyber Systems at a “Medium” substation that are not themselves associated with a Medium Facility (line, etc.) will be Low impact. For instance, at a 500kV substation that falls under criterion 2.4, relays associated with a 230kV line will be Low impact, not Medium. Only the relays associated with the 500kV line(s) will be Medium impact.

11. Criteria 2.4 – 2.8 refer to “Transmission Facilities” as being in scope. This is to distinguish the lines, transformers, etc. that are associated with Transmission from those that are associated with Distribution; this is important, since in many substations both Transmission and Distribution Facilities are present. However, there are many questions that arise when it comes to actually separating the equipment out. There needs to be a definition of Transmission Facilities that entities can use to distinguish the two types of Facilities.

12. Medium impact BES Cyber Systems are “defined” in Attachment 1 as those that are “associated with” Medium impact Facilities (in criteria 2.4-2.8), meaning they don’t have to be located at the same substation as the line, breaker or transformer they’re associated with. However, according to NERC’s recent Lessons Learned document, relays that are associated with a Medium impact line (under Criterion 2.5) through a “transfer-trip” scheme, but which are themselves located at a Low impact substation (i.e. so-called “far-end relays”), are Low impact. Will this exception apply in other cases where systems (like relays) associated with a Medium impact substation or Facility are located at a Low impact substation[v]?
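The bottom-up process in items 4 through 7, and the classification questions in items 10 and 12, can be made concrete by writing the entity's documented interpretations down as explicit switches and running one constructed inventory through them. This added example is mine, not the post's or NERC's; criterion 2.4 is simplified to "any Facility operated at 500 kV or above", criterion 2.5 to "aggregate weighted value above 3000 at one substation", and the 700/1300 weight table, the substation and relay names, and the two policy switches are assumptions.

```python
# Constructed example: the bottom-up BCS process with each open interpretation
# question from the post turned into an explicit, documented policy switch.
from collections import defaultdict, namedtuple

# Facility: a line or transformer, i.e. a NERC-defined Facility (item 10), plus the
# substations at which it terminates. CyberAsset: programmable and affects_bes are the
# outcomes of the entity's own documented tests (items 5 and 6); system is the BCS
# grouping the entity chose (item 7); location is the substation where the device sits
# (item 9); facility is the Facility the device is "associated with" (item 6.5).
Facility = namedtuple("Facility", "name kv terminals")
CyberAsset = namedtuple("CyberAsset", "name programmable affects_bes system location facility")

POLICY = {
    "facilities_mean_substations": False,  # item 10: False = lines/transformers, True = whole substation
    "far_end_relays_are_low": True,        # item 12: follow NERC's transfer-trip Lessons Learned
}
WEIGHTS_2_5 = {(200, 299): 700, (300, 499): 1300}  # assumed criterion 2.5 weight table (kV range -> points)

def weight(kv):
    return next((w for (lo, hi), w in WEIGHTS_2_5.items() if lo <= kv <= hi), 0)

def substation_points(facilities):
    """Aggregate weighted value of the 200-499 kV Facilities at each substation (criterion 2.5)."""
    pts = defaultdict(int)
    for f in facilities:
        for sub in f.terminals:
            pts[sub] += weight(f.kv)
    return pts

def facility_is_medium(f, pts):
    # 2.4 (simplified): operated at 500 kV or above; 2.5: part of a >3000-point aggregate at a terminal
    return f.kv >= 500 or (weight(f.kv) > 0 and any(pts[t] > 3000 for t in f.terminals))

def substation_is_medium(sub, facilities, pts):
    return pts[sub] > 3000 or any(f.kv >= 500 for f in facilities if sub in f.terminals)

def classify(inventory, facilities, policy=POLICY):
    """Return {BCS name: 'Medium' or 'Low'} for the BES Cyber Systems found in inventory."""
    pts, fac = substation_points(facilities), {f.name: f for f in facilities}
    systems = defaultdict(list)
    for a in inventory:
        if a.programmable and a.affects_bes:  # steps 1-2: Cyber Asset, then BES Cyber Asset
            systems[a.system].append(a)       # step 3: group BCAs into a BES Cyber System
    result = {}
    for name, members in systems.items():     # step 4: classify per Attachment 1, Section 2
        medium = False
        for a in members:
            at_medium_sub = substation_is_medium(a.location, facilities, pts)
            assoc = at_medium_sub if policy["facilities_mean_substations"] else facility_is_medium(fac[a.facility], pts)
            if assoc and policy["far_end_relays_are_low"] and not at_medium_sub:
                assoc = False                 # far-end relay at a Low substation stays Low
            medium = medium or assoc
        result[name] = "Medium" if medium else "Low"
    return result

# Constructed data: SubA has a 500 kV line (criterion 2.4) and a 230 kV line; SubD has three
# 345 kV lines (3 x 1300 = 3900 > 3000, criterion 2.5); SubE is the far end of one of them.
FACILITIES = [Facility("L500-AB", 500, ("SubA", "SubB")), Facility("L230-AC", 230, ("SubA", "SubC")),
              Facility("L345-DF", 345, ("SubD", "SubF")), Facility("L345-DG", 345, ("SubD", "SubG")),
              Facility("L345-DE", 345, ("SubD", "SubE"))]
INVENTORY = [CyberAsset("relay-A-500", True, True, "SubA 500 kV protection", "SubA", "L500-AB"),
             CyberAsset("relay-A-230", True, True, "SubA 230 kV protection", "SubA", "L230-AC"),
             CyberAsset("relay-E-tt", True, True, "SubE transfer trip", "SubE", "L345-DE"),
             CyberAsset("meter-A", True, False, "SubA revenue metering", "SubA", "L230-AC")]
```

With the default policy the 230 kV relays at SubA and the SubE transfer-trip relay come out Low; flipping facilities_mean_substations makes the SubA 230 kV relays Medium, and clearing far_end_relays_are_low makes the SubE relay Medium. Renaming SubD's terminals so its three lines sit behind a fence in two "substations" (item 17) drops both below 3000 points, so nothing there is Medium any more.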

13. There are a host of issues that come up regarding equipment located in shared substations. NERC has promised a Lessons Learned document on this question. Entities that can’t wait for that will have to “roll their own”.

14. If a relay (or other device) in a substation is connected serially to an intermediate device like a terminal server or RTU, and that intermediate device has External Routable Connectivity, in what circumstances can the relay itself be considered to have ERC? In what circumstances should it not be considered to have ERC?

15. Criteria 2.6 and 2.9 both refer to IROLs, which are not used in WECC. How should WECC entities interpret these two criteria without referring to IROLs?

16. What does “routable” mean? There are about three places in CIP v5 where a definition is required, but there is no NERC definition. While this may seem like a fairly well-understood term, it isn’t so clear cut when you look at Modbus/TCP, DNP/IP, etc. NERC’s very well-written 2010 guideline for identifying Critical Cyber Assets (pp. 26-29) contains a good discussion of this issue. Should entities assume that, if their definition of “routable” coincides with what is discussed in this document, they are defining it properly?

17. What constitutes a “substation” (there is no NERC definition)? This is important for criterion 2.5. For example, suppose a substation meets the 3000-point threshold in criterion 2.5, but has two separate control rooms. If each of these control rooms is considered part of a separate substation (say there is a fence between them, or the entity decides to put one there to lower their compliance costs), then each of the separate substations probably won’t have 3000 points. Instead of one Medium substation, there would be two Low substations, and all the BES Cyber Systems at both “substations” would be Low impact.

18. Low impact assets are “defined” in R1 as “assets containing a Low impact BCS”. But no inventory of cyber assets is required for Lows, and thus BCS will never be identified at Low impact assets. How is this contradiction to be reconciled?

19. Conversely, the implication of this “definition” of Low assets seems to be that assets that don’t contain a Low impact BCS aren’t even Lows. This is good, but how do you prove it to your auditor, without inventorying all the Cyber Assets at the potential Low asset to show that none of them meet the definition of BCA/BCS?

20. The beginning of Section 3 (“Low Impact Rating”) of Attachment 1 reads: “BES Cyber Systems not included in Sections 1 or 2 above that are associated with any of the following assets…” This states pretty clearly that the entity is to a) take their pre-existing list of BCS, b) subtract out those BCS not identified as High or Medium impact in Sections 1 or 2, and c) identify the remainder as Low impact BCS. There is only one problem with this: The entity is never required to make a list of all their BCS before they start to classify them[vi]. In fact, v5 says explicitly in two places that an inventory of Low impact BCS isn’t required. How can this contradiction be reconciled?

The views and opinions expressed here are my own and don’t necessarily represent the views or opinions of Honeywell.

[i] The list also contains a couple items – like 14 and 16 – that aren’t really part of R1 per se, but are definitely part of the asset identification process for substations. Therefore, Transmission entities need to address these at the same time they’re applying R1 to identify BCS.

[ii] Of course, I don’t recommend that Southern California Edison tell WECC that their control centers don’t have to comply with v5; there is too much other evidence in R1 and Attachment 1 that control centers do have to comply. It was obviously a mistake by the SDT that “Facilities” was capitalized. I know one region has suggested to NERC that there be an errata filing for all of the v5 standards – since this wording appears in all of them, as well as the v6 and v7 standards – asking to un-capitalize that word in Section 4.2.2. But I doubt that will happen.

[iii] The BROS were part of the definition of BES Cyber Asset in the first draft of v5, so they were then the “official” means for identifying BCA/BCS; this was changed in the second draft. See footnote v below.

[iv] For instance, let’s go to the Medium impact criteria in Section 2 of Attachment 1, and see if they “map” to the six asset types. Each criterion has a subject, generally at the beginning of the criterion. Some of those subjects do vaguely resemble items on the asset list, but how about criteria 2.2 (where the subject is “reactive resources”), 2.9 (“Each…Remedial Action Scheme (RAS), or automated switching System that operates BES Elements..”), and 2.10 (“automatic load shedding systems”)? These aren’t on the list of six at all. Why did the SDT carefully provide us this list of six asset types and tell us to consider them in Attachment 1, then ignore some of them and add some new ones when we actually get to Attachment 1? The answer is what I’ve just said: the six asset types are the locations where you should look for BES Cyber Systems, not what gets run through the criteria; you classify the BCS themselves using the criteria in Attachment 1. High BCS will always be located at a High asset, because they have to be “used by and located at” a control center that meets one of the four High criteria. But Medium BCS don’t have to be located at a Medium asset/Facility, since they just have to be “associated with” the asset/Facility, not “at” it. It is important to know that a Medium BCS has to be located at one of the six asset types, rather than somewhere else like the home of a manager.

[v] My opinion is they won’t, since NERC’s reasoning for their “ruling” on Transfer-Trip relays was very specifically tied to Criterion 2.5 (and that reasoning had first appeared in this blog post about two months earlier, having been contributed by an Interested Party).

[vi] Actually, in the first draft of CIP v5, which was roundly defeated in the first ballot in December 2011, the wording of R1 clearly required the entity to first inventory all Cyber Assets in its system, whether High, Medium or Low (of course, at this point in the requirement, nothing had yet been classified High, Medium or Low impact). Then they had to determine which were BCAs (and hence what the BCS were, although the first draft of v5 almost used the terms BCA and BCS interchangeably). To identify BCAs/BCS, entities had to apply the BES Reliability Operating Services analysis to each cyber asset (since the BCA definition at the time was based on the cyber asset’s fulfilling a BROS). Of course, this would have been an incredible burden on entities, since it would have literally required spending hours inventorying and classifying every cyber asset they owned. I wrote a post on this while the first draft was being balloted, and flatter myself that I contributed in a small way to its defeat. R1 (and the BCA definition) was substantially rewritten at the first SDT meeting after this ballot.